
Unique security problem - data security under fire

Hello,

I'm a member of a non-government, non-profit voluntary organization that focuses on teaching military skills and passing the associated values to young adults. The organization is state-independent, but it maintains friendly relations and loose co-operation with the government of its country.

It was decided that a central database would be a valuable and practical tool to address specific logistical and organizational challenges. While the data is in itself harmless, its security is critical.

If you have ever watched the classic movie Red Dawn you probably already know why the confidentiality of such data is essential. The premise of this film is of a foreign army invading the United States. One of the first things the invaders do after establishing a foothold is confiscating documents containing the personal information of citizens who have bought firearms, seeing them as a potential, if not immediate, threat. It's a good example of truth in fiction.

There is every reason to believe that today a similar approach would be used in regards to electronic data - especially with cyberwarfare being the new media buzzword. The requirements here differ from plain "civilian" data security, as the party willing to obtain this kind of data will:

1) Have immediate and unrestricted access to the server, perhaps attempt to seize this data in a covert manner before any overt actions are taken.

2) Not hesitate to use any and all methods of coercion that would be considered effective in order to obtain said data.

3) Be expected to employ qualified personnel in fields of cryptography, computer forensics and security.

4) Be expected to ignore arguments of plausible deniability that would, in other circumstances, form a sufficient defense (in countries where password disclosure is mandatory, like the UK)

The data stored in such a database would not be crucial to the existence of the organization and its permanent destruction would be fully acceptable if it were to prevent its disclosure.

There exists a possibility of running this service anonymously, under an .onion address for example, however the goal isn't to provide security through obscurity. Hiding the service isn't by itself required, however this would enforce an adequate level of anonymity - otherwise every user is at risk of having his/her identity revealed. Most security problems are of the PEBKAC variety and not everybody can be expected to have the necessary computer knowledge or awareness to use proxies or similar tools. That leaves those individuals at risk of having their identities easily compromised by having their home IP logged anywhere on the way to the intended host. On one hand using Tor means a guaranteed minimum level of anonymity at the cost of some overhead, on the other hand it does seem like overkill for the sole purpose of preventing careless users from connecting directly to the system with their home IP.

The server itself would definitely have to have its own server room and full-system encryption. A power cutoff switch would be installed at every entry point to the room to make the retrieval of keys from the RAM a one-time opportunity. Using non-standard screws on the server casing and other simple physical barriers should make that particular vulnerability a non-issue.

The major difference in this scenario from a common "civilian" one is the need to address the possibility of individuals being coerced into revealing passwords or keyfiles by force.

The most obvious method to prevent the data from being obtained, as far as I see, is physical destruction using a remote kill-switch of sorts - but I'm not quite sure about how that would work in practice, or if anyone successfully managed to create a reliable and safe solution of this type.

The materials that would be the best for the job, or at least the ones I'd go for if I could, such as thermite, are illegal to possess and manufacture. In addition there is no guarantee that GSM networks or the internet will remain operational at the moment when the need to deploy such measures arises, making satphones with a backup power source the only solution reliable enough - and that's not mentioning the technical challenge of making it at least do tone recognition, or the cost of both creating and then maintaining such a device.

Unfortunately, a device that incinerates the HDDs with thermite, regardless of any steps taken to ensure safe operation and mitigate the risk of fire, damage to equipment or injury to anyone, still essentially amounts to clandestine bomb-making.

A remote kill-switch was the first thing to come to mind, however a solution that is even legally questionable is one that, for obvious reasons, cannot be used. I am not aware of any other method that would remain operational for a reasonable time without external power, guarantee destruction of data in a short time-span, and at the same time remain stable and highly resistant to accidental/unintentional usage, all while maintaining those qualities for a reasonable amount of time, 5 years or so.

Other than not putting the data out in the open in the first place, are there any more practical ideas for keeping it safe under the outlined circumstances? I'd like to ask the community here for feedback, thoughts and ideas. What approach would be the most appropriate for this kind of data?

The front-end for the database will be done with some server-side language, at this point it could be anything from Ruby to PHP - at this time it's not that important but inherent inclination towards security and language maturity will be major factors.

I'll refrain from providing more details, though I'll gladly answer any relevant questions.

Regards

* Before anybody asks the stupid question of why a non-govt organization would need that kind of security: because gathering people's personal data makes one implicitly responsible for its safety. Just because a total SHTF event may be a tangible threat only in the eyes of the tinfoil-hat crowd today, nothing absolves me of responsibility for what might happen to that data tomorrow or the day after that.

I am afraid that the basic answer to your question is "mission impossible". As I am sure you are aware, nothing is "secure"........all that security does is buy you time.

If somebody is determined enough and has the resources, they will get in..........I am afraid it is as simple as that.

It was decided that a central database would be a valuable and practical tool to address specific logistical and organizational challenges.

You need to ask yourself "by whom, and on the basis of what analysis?" This should be a part of your initial security assessment, and the question is whether the benefits of maintaining the data sufficiently outweigh the costs (dangers?) of establishing and maintaining the data in a secured environment. Please remember that data security is 24/7/365, so it is not a one-off cost or effort. Also, there are far too many "control freaks" around who like to gather data for the sheer hell of it, or because it makes them feel important.

While the data is in itself harmless, it's security is critical.

I am afraid that is an oxymoron................if security is critical, then it must be potentially harmful to someone. There is, of course, the aspect of regulatory or statutory compliance in respect of personal databases. Just because you can get the info. from the telephone directory and the electoral register doesn't mean that you don't have a legal obligation to attempt to secure it.

Incidentally, the description of your organisation and the scenarios you imply suggest to me that you are talking of a situation like in Libya right now?................I guess legal doesn't matter anymore................the shooting war has started? Anyways, you are only expected to take reasonable precautions, and that doesn't cover a bunch of guys with M-16s crashing in through your doors and windows.

If there is a problem with this, my only suggestion is that you do not keep the data in the first place.

The data stored in such a database would not be crucial to the existence of the organization and it's permanent destruction would be fully acceptable if it were to prevent it's disclosure.

Which brings its creation even more into question does it not?

That leaves those individuals at risk of having their identities easily compromised by having their home IP logged anywhere on the way to the intended host.

I really don't see that one at all. If you have a database of personal details, how is someone's IP address going to matter? They are not as easy to trace as you seem to think, and you would need the assistance of the ISPs. By the time you had gotten that, all the subjects would probably be running around the streets with their M60s and AK47s. If you are thinking that a trace would be put on communications with your database server, I would suggest that your internal databases should not be generally available over the internet. If you want members to contact a website it should be on a different server, and possibly location.

A lot depends on how you connect to the internet as well. If you use a public library or unsecured WiFi hotspot, it provides a fair degree of anonymity, albeit with other security issues if you are careless about content.

Over here most people get a new IP address as soon as they log on anyways.

Other than not putting the data out in the open in the first place, are there any more practical ideas for keeping that it safe under the outlined circumstances? I'd like to ask the community here for feedback, thoughts and ideas. What approach would be the most appropriate for this kind of data?

Not really, as I cannot see a valid reason for having it "in the open" anyway, given that you want to make it secure? The two concepts are pretty much contradictory, and as soon as you involve more than a few dozen people with access rights; impossible as well.

At any rate, you will have been infiltrated long before then......trust me

If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?

Edit: I was in a hurry so this is a revised version of the post I wrote earlier.

The database would be used to coordinate the bureaucracy and logistics of the separate units spread across the country. Entities that would be interested in gauging the manpower, training, morale and other aspects of such an organization would no doubt wish to obtain this information so a more accurate threat assessment can be made, preferably in a covert manner. However even as such, the leaking of such information would not be immediately harmful - or, without strict auditing, probably not even noticed.

The situation changes when, this being a hypothetical scenario, a hostile party would engage in armed conflict within the territorial borders of this country. At this point such information compromises the identities of all members. Not only that, it would also reveal the command structure of local units, not to mention a good idea of the capabilities and training of each, giving more than enough information a malicious element would need to dispatch those persons. It can be expected that such individuals would be considered priority targets along with reservists, former officers and others whose skills, experience or motivation could be used in a variety of ways to foil the realization of the hostile element's objectives or reduce their effectiveness.

The reason a central database was suggested in the first place is that all units have some sort of similar system already in place. A lot of sensitive information is stored in easily accessible places with little real security to speak of. In addition there are no specific guidelines on internet security, neither mandatory nor even suggested - in many cases obtaining this kind of information is all too easy, as security experts (and I never claimed I'm one) aren't that common. Even in places where some rudimentary security is in place, it can still be easily defeated by forcing the person to divulge the information by known means.

Hence the idea of a central database that would replace all those separate and vulnerable ad-hoc improvised solutions and consolidate them into one system that focuses on data security and providing anonymity to a degree not possible to achieve for smaller organizational segments, due to lacking funds, expertise or even little awareness of the true seriousness of how dangerous a threat like that is.

Even if "classic" steps are taken to provide some degree of anonymity, such as obscuring the faces and name-tags in pictures meant specifically for public release, few people realize how easily accessible data stored online is. Nonetheless, it is the most convenient form of communication and seeing as how, gaping security hole aside, it is used by virtually all branches of the organization already, it would be a hard sacrifice to make - throwing the baby out with the bathwater, if you will. That's why a system designed to address the particular needs of such an organization would be preferable, as it would provide an incomparably higher level of security and still provide the functionality and convenience of existing online systems.

Which brings its creation even more into question does it not?

Not really. The system is specifically designed for easing and streamlining organizational issues during times of peace. The event that would create the necessity of purging such a system would be the same event that would result in the activation of specific protocols, a change of standing orders and evaluating and adapting to the situation in the manner deemed the most appropriate. If this were to happen, the online database system would not only lose all usefulness, but also become a dangerous liability.

and you would need the assistance of the ISPs.

Again, should the hostile party be denied that kind of information, it may well use force to obtain it, if it considers that particular individual worth the effort of tracking him down.

At any rate, you will have been infiltrated long before then......trust me

Access control to the online system is one issue, infiltration by hostile collaborators is another. The first can be monitored to some extent using security auditing and minimizing privileges. The second is an issue I probably would be the last person qualified to address.

Returning to the topic at hand - the security of this central server:

For those too lazy to read, here are the key points:

1) The data must not under any circumstance become plainly visible in unencrypted form to a hostile party. Data destruction is a perfectly acceptable outcome.

2) Any person who may know the password will be forced to reveal it in a short time-span.

3) The data has to be kept safe against both covert attempts to retrieve it, which means keeping it safe from hackers and burglars, as well as overt intrusions.

4) There exists a possibility that the data will have to be permanently made unrecoverable even in the event of power and GSM failure.

I realize this is a difficult problem and not a very common one. But "mission impossible" is not the kind of answer I was looking for. The database won't contain anything as important as launch codes and fission bomb schematics - it's sufficient to make the retrieval of this data too impractical and costly for its value, not necessarily impossible.

Last edited by MidnightWarrior; March 1st, 2011 at 07:57 PM.
Reason: Did not have the time to word this properly
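Editor's added example (not code from the thread, and not anything the original poster built): points 1, 2 and 4 above, together with the "full-system encryption" and "retrieval of keys from the RAM" remarks in the first post, describe what is usually solved by cryptographic erasure rather than by physically destroying drives. The data is encrypted under a random data-encryption key (DEK) which is itself stored only in wrapped form, and the kill switch overwrites the wrapped copy (a few dozen bytes, milliseconds of work, trivially battery-backed) instead of incinerating terabytes. A passphrase or keyfile coerced afterwards unlocks nothing, because the thing it would unwrap no longer exists. The Go program below uses only the standard library; the keyfile-held wrapping key stands in for a passphrase-derived one (a real deployment would run the passphrase through a proper password KDF), and the in-memory "keyslot" stands in for the on-disk volume header that a LUKS-style setup keeps. The record contents and the keyfile are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed cryptographic-erasure demo (not code from the thread): records are
// encrypted under a random data-encryption key (DEK) that is kept only wrapped under
// a keyfile. Erasing the wrapped DEK (a few dozen bytes) makes the data unrecoverable.

const nonceLen = 12 // standard AES-GCM nonce size

type Vault struct {
	keyslot []byte   // nonce || AES-GCM(keyfile, DEK); nil once erased
	records [][]byte // nonce || AES-GCM(DEK, record)
}

// NewKey returns 32 random bytes (AES-256), used for both the DEK and the keyfile.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err) // no usable entropy source is fatal
	}
	return k
}

// gcm ignores the key-length errors: every key here is 32 bytes by construction.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}

// seal returns nonce || ciphertext; the label is bound as associated data so a
// keyslot blob cannot be passed off as a record or vice versa.
func seal(key, plaintext []byte, label string) []byte {
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return append(nonce, gcm(key).Seal(nil, nonce, plaintext, []byte(label))...)
}

func unseal(key, blob []byte, label string) ([]byte, error) {
	if len(blob) < nonceLen {
		return nil, errors.New("truncated ciphertext")
	}
	return gcm(key).Open(nil, blob[:nonceLen], blob[nonceLen:], []byte(label))
}

// Encrypt generates a DEK, encrypts the records under it and keeps only the wrapped DEK.
func Encrypt(keyfile []byte, records [][]byte) *Vault {
	dek := NewKey()
	v := &Vault{keyslot: seal(keyfile, dek, "keyslot")}
	for _, r := range records {
		v.records = append(v.records, seal(dek, r, "record"))
	}
	return v
}

// Decrypt unwraps the DEK with the keyfile and returns the plaintext records.
func (v *Vault) Decrypt(keyfile []byte) ([][]byte, error) {
	if v.keyslot == nil {
		return nil, errors.New("keyslot erased: data is unrecoverable")
	}
	dek, err := unseal(keyfile, v.keyslot, "keyslot")
	if err != nil {
		return nil, errors.New("wrong keyfile or corrupted keyslot")
	}
	var out [][]byte
	for _, blob := range v.records {
		pt, err := unseal(dek, blob, "record")
		if err != nil {
			return nil, err
		}
		out = append(out, pt)
	}
	return out, nil
}

// Erase is the kill switch: zero and drop the wrapped DEK. The ciphertext can stay.
func (v *Vault) Erase() {
	for i := range v.keyslot {
		v.keyslot[i] = 0
	}
	v.keyslot = nil
}

func main() {
	keyfile := NewKey() // constructed demo; in practice held on removable media
	v := Encrypt(keyfile, [][]byte{[]byte("unit 7: 12 members, 2 instructors")})
	v.Erase()
	_, err := v.Decrypt(keyfile)
	fmt.Println("after erase, correct keyfile:", err)
}
```

Two caveats a practitioner would add. First, the erase has to reach the medium: on an SSD an overwrite of the header may land on a fresh flash page while the old one survives until garbage collection, so the keyslot belongs on a device whose erase behaviour you have verified (or in a dedicated, wipeable component), and any backup of the header you keep is another copy that must be destroyed. Second, this shrinks the kill-switch problem but does not remove the RAM exposure from the first post: while the system is unlocked the plaintext DEK is in memory, which is exactly what the door-triggered power cutoff is for, and the trigger itself still needs a power source independent of mains and GSM, which is far easier to build for "overwrite a few dozen bytes" than for "burn the drives".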

You have a government and a regular and reserve army, navy and air force? not to mention counter-intelligence, national security and regular law enforcement agencies? For you guys to have any relevance whatsoever, they must have all lost to this hypothetical hostile threat? And what about all those expensive nukes?

And you seriously think that you can do anything by adopting the same management structure as the losers?

Hell, the bad guys can even coerce info from the ISPs?..............you are OWNED my friend, and big time.

//Aside//.............how long do you think it would take for your armed forces and agencies to belly-up? could they buy you enough time to wipe a server? //

The only kind of resistance you could hope to provide is guerrilla warfare.............and you don't use databases for that.

The database would be used to coordinate the bureaucracy and logistics of the separate units spread across the country.

Terrorists and guerrillas don't work like that.........when they do, they lose........didn't anyone learn from Vietnam? You don't do bureaucracy and logistics.

The situation changes when, this being a hypothetical scenario, a hostile party would engage in armed conflict within the territorial borders of this country. At this point such information compromises the identities of all members. Not only that, it would also reveal the command structure of local units,

That should not be on record...........guerrilla warfare is cellular by nature, with easily broken links................so, for that matter is terrorism?

If you can train someone to use weapons effectively, you can train them to use a computer system............you just need a secure local system that all users know and understand and IMPLEMENT.

A location should be a code, a unit should be a code, and an individual should be a number and skill code. Nobody higher up should be able to identify rank and file individuals. All they need to know is operational area, strength and skills?

At the beginning of WWII (that's the proper beginning, not 1941) the British had a plan for a German invasion of England. They had around 4,500 "suicide troops" organised into units in the South (English Channel end ). They were divided into cells of around 8~12 and had their own little bunkers or hidey holes to live in. Their maximum life expectancy was no more than 10 days...............

One of them had a Lee Enfield .22 rifle, Parker Hale Silencer, and Cooke Trout & Simms scope sight...........I have shot one.....very nice, unless you were the local cop or postman etc........take them out first, then they can't collaborate?

Which leads me on:

1. Are you guys prepared to die without question?
2. Are you prepared to kill your own without question?

If not, then you might as well give up.

Errrrr...........as for destroying the server............you must have guys who know about IEDs?

Make sure that your server is in a room with a stud partition wall to a storeroom where they keep the consumables for the swimming pool and motor pool....................two good kicks gets rid of a stud partition wall...........then you need the guy who meets #1 above.....

There won't be much of the server left, but you would have to weigh his coffin down with sandbags for appearances sake.

You can buy the ingredients quite legally, and they come from quite different suppliers. Not sure about health and safety storage regs, but you could always switch containers?

Beauty is, you don't have to make an illegal device, just get the ingredients in contact with eachother and they will do the rest.

Naturally, it has occurred to me that you guys might be plotting to overthrow the democratically elected government of the United States of America?

Now, let me first say that is Obama's job not yours; but I will help out by sending you forms to join the British Commonwealth and the European Monetary Union................a surefire win/win

I guess my final question would be: what do your management see your organisation's role as being in this scenario?


I'll put this as clearly as I can. Local units are currently using a plethora of various shoddy web solutions, ranging from outdated and vulnerable free scripts, modified versions of existing software that never went through the proper auditing and ending with solutions that are completely inappropriate for the job. The reason for developing a central system/database is to replace all of those local ad-hoc solutions with one that is built from the ground up expressly for the specific needs of such an organization - focus is put on maximum security, privacy, constant auditing and strict limitation of access. Individual units are incapable of properly securing their data on their own. Instead of a number of sloppy and potentially dangerous solutions the idea is to replace all of those by one system that implements the level of security otherwise not attainable by individual units alone.

What I tried to make clear is that such a system serves only as a bureaucratic aid during the time when there is no threat to speak of. Once such a threat appears the system would become a huge liability and would be taken down permanently and immediately. The immediacy and reliability of this take-down being a requirement.

On the other hand permanently and irrecoverably erasing the data present on dozens of different servers, as it is today, different software and hardware configurations by the appointed people, whose computer skills may often be insufficient, is a recipe for disaster - assuming there's still power to wipe anything off some remote commercial server.

In case it's still not perfectly clear: The server and database is a bureaucratic crutch, not a combat implement. Never was meant to be one. If you'd read my previous post with a bit more attention you'd realize that I stated that in the event of a SHTF, let me quote myself,

The event that would create the necessity of purging such a system would be the same event that would result in the activation of specific protocols, a change of standing orders and evaluating and adapting to the situation in the manner deemed the most appropriate.

I'm not at liberty to discuss the specifics of how particular situations would or should be addressed. Neither am I the person to make those calls nor is this a place where I would engage in debates of this kind. If you feel you can't live without knowing what HQ's got planned, send me a PM and I'll direct you to the place where you can receive whatever answer will be considered appropriate.

In addition, as long as I am a law-bound citizen I don't wish to discuss lawless acts such as IED construction. As I stated previously the killswitch needs to be a device that raises no doubt as to whether its production, possession and use is within the law.

On a sidenote, even if I personally agree with a lot of what you're saying, that means nothing.

Just to calm your fears I have never set foot on US soil and have no intention of doing so. You never know whose names might have accidentally gotten on those extraordinary rendition lists, and I feel topics like this one aren't helping.

I'm actually kind of flattered by that remark, but let me assure you I'm not referring to anything as conspicuous or sinister as the shriners. What gave you that impression anyway? Please tell me you're not one of those Alex Jones supporters?

While all this may be fascinating stuff, let's not derail this thread too much.

Just because a total SHTF event may be a tangible threat only in the eyes of the tinfoil-hat crowd today, nothing absolves me of responsibility for what might happen to that data tomorrow or the day after that.

I think that says it all

MLF

How people treat you is their karma- how you react is yours-Wayne Dyer

I'll put this as clearly as I can. Local units are currently using a plethora of various shoddy web solutions, ranging from outdated and vulnerable free scripts, modified versions of existing software that never went through the proper auditing and ending with solutions that are completely inappropriate for the job. The reason for developing a central system/database is to replace all of those local ad-hoc solutions with one that is built from the ground up expressly for the specific needs of such an organization - focus is put on maximum security, privacy, constant auditing and strict limitation of access. Individual units are incapable of properly securing their data on their own. Instead of a number of sloppy and potentially dangerous solutions the idea is to replace all of those by one system that implements the level of security otherwise not attainable by individual units alone.

OMG....that thar sounds like my local government .....and yours too

MLF
